Security Risk Controls in the Medical Device Technical File

Luke Hill
  • By Luke Hill
  • Co-Founder of Cyber Alchemy
XXX

A Mantra Systems x Cyber Alchemy Perspective - Episode 3

This article is published in partnership with Cyber Alchemy. Mantra Systems specialises in medical device regulatory strategy and technical documentation for UK and EU MDR/IVDR pathways. Cyber Alchemy focuses on cybersecurity, helping teams develop and evidence security for software-enabled and connected medical devices. Together, we're producing a practical series for MedTech teams: what to build, what to defer, and how to avoid rework when moving between UK, NHS procurement, and EU routes.

Reviewers do not assess your security. They assess your evidence of it.

The pattern we see most often in late-stage submissions: the security is fine, sometimes seriously impressive, but the technical file presents it as a mix of tool screenshots, generic policies, a penetration test PDF stapled in near the back, and a sentence that says, in effect, “we take security seriously.” The reviewer cannot work out, in a reasonable amount of time, what threats the product faces, what controls address them, and what evidence proves those controls work. So they ask. And ask. And the clock keeps moving.

This is what this article is about. Episode 1 covered what minimum viable cybersecurity evidence looks like across UK, EU and NHS routes. Episode 2 covered why nonconformities happen and how to recover. This article sits between the two: it is about the controls themselves, and specifically about how to present them so they read as evidence, quickly, traceably, and without inviting the kind of questions that turn a six-week conformity assessment into a six-month conversation. It is also the cybersecurity companion to our joint Webinar #1 with Mantra SystemsFrom Nonconformity to Approval.

Key takeaways

  • Good controls in a bad evidence format generate findings. Reviewers cannot give you credit for security work they cannot follow. The fastest improvement in most files is structural, not technical.
  • Three properties make controls read well: scoped (the boundary and assumptions are explicit), traceable (threats map to controls map to verification), and navigable (a reviewer can find anything in minutes, not days). This article explains how to evidence each of them.
  • Five artefacts do most of the work: a boundary and interface inventory, a threat-to-control-to-verification table, an SBOM coverage statement linked to vulnerability triage, a pen-test scope rationale tied to the device boundary, and an access control and audit logging narrative. Get those five right and the rest is easier.
  • The most common findings are documentation gaps, not security gaps. Reviewers raise issues because they cannot follow the evidence, not because a control is missing, so the fix is usually to re-shape work you have already done.
  • The artefacts that get controls past a reviewer are the same ones that survive post-market, which is the subject of Episode 5 of this blog series. Build them once, in a maintainable shape, and they keep paying back.

Companion perspective (Mantra Systems)

This article focuses on the cybersecurity side: how to evidence security risk controls so a notified body, the FDA, or an NHS assessor can follow the logic from threat to verification quickly. The companion piece from Mantra Systems covers how the same principle applies across design controls, clinical risk controls, usability controls, and post-market surveillance: the wider risk control story your file needs to tell.

Why this matters now

1) Security evidence is being asked for earlier in the lifecycle

Five years ago, a software-enabled medical device could often reach pilot with a high-level security policy, a one-off penetration test, and a verbal assurance that “the cloud is secure because AWS is secure.” That window has closed. Procurement teams now send detailed security questionnaires before clinical sign-off. NHS trusts run DTAC due diligence at pilot stage. Investors commission third-party diligence at Series A. And under EU MDR Annex I (GSPR 17.2 and 17.4), notified bodies increasingly look for explicit minimum IT security requirements for the intended environment, plus a state-of-the-art lifecycle that includes information security. The same artefacts now need to satisfy more audiences, more often, and earlier, and be presented well enough that none of them asks the same question twice.

2) “What does good look like?” is a regulator question now, not a vendor one

IEC 81001-5-1 (security activities in the product lifecycle), AAMI TIR57 (risk management for security) and MDCG 2019-16 (medical device cybersecurity guidance) all converge on the same expectation: that security risk controls are the visible output of a defined lifecycle process, traceable to threats, verified, and maintained. The FDA’s Section 524B premarket guidance asks for substantially the same evidence story in different vocabulary. DTAC v2.0 (from 6 April 2026) sharpens what NHS procurement expects to see. The frameworks differ in detail but agree on the spine: threats, controls, verification, residual risk, post-market.

Same spine three regulators: EU MDR, FDA 524B and DTAC mapped to the evidence spine

The same evidence base, mapped to EU MDR, FDA 524B and NHS DTAC. Build it once, then package for each route.

For a fuller side-by-side of what each market expects, and where the evidence overlaps, see Cyber Alchemy’s Access to Markets guide.

3) This article sits inside a recovery arc

In the previous article we wrote that the gap between security that exists in the product and security that exists in the documentation is almost always closable, but it takes structured, methodical work. This article is the structural template for that work: what reviewer-readable looks like before there is a finding to recover from, and the shape a corrective action plan tends to take if there is one.

What good looks like

Security risk controls read well when three properties are true at once.

Scoped. The boundary of the device, what is in scope, what is out of scope, and what assumptions you are making about the environment, is explicit on the first page a reviewer reads, not implicit in an architecture diagram on page 47. Most disputes about controls are actually disputes about boundary. If a reviewer thinks the device includes the hospital network and you do not, your controls will look incomplete to them and excessive to you. Resolve this in writing, up front.

Traceable. A reviewer can follow a single line from a credible threat, through the control that addresses it, to the verification evidence that proves the control works, to the residual risk that remains. The line is short, the references are stable, and the artefacts referenced actually exist where the document says they do. Traceability is the spine of “state of the art” under MDCG 2019-16 and the spine of “reasonable assurance of cybersecurity” under FDA 524B. It is the same idea.

Navigable. A reviewer can answer a specific question (how is patient data protected in transit? what happens if an update fails? who can change device configuration?) in minutes, by going to a named artefact. The index works. The references resolve. The pen-test scope matches the boundary diagram. The SBOM matches the build. The logging description matches what the system actually emits.

A useful litmus test: hand the file to a smart engineer outside your team and ask them to summarise your security posture in a paragraph and point to the evidence behind each claim. If they can produce something reasonable in thirty minutes, the file is well-shaped. If they cannot, you probably have a presentation problem rather than a controls problem, which is good news, because presentation problems are faster to fix.

The evidence spine: boundary, threats, controls, verification, residual risk, post-market

The evidence spine: a single traceable line, and where each piece of evidence lives.

The minimum artefacts list

For most software-enabled and connected medical devices, the minimum set of artefacts that makes security controls read well is short. Each answers a question a reviewer is going to ask. The point is to have one named, versioned, releasable artefact per question, not the same content scattered through ten documents.

  • Boundary and interface inventory. Names every external interface, every trust boundary, and every shared-responsibility line.
  • Threat model summary focused on credible abuse cases for the intended environment. STRIDE-aligned is great. What matters is that the threats are real for your device.
  • Threat to control to verification traceability table. The single most useful document in the file. Top threats, with stable IDs, one sentence per column.
  • Verification evidence index. Every piece of test evidence referenced by a stable ID, tied to a product version, with an owner.
  • Penetration test evidence summary. One page in front of the report: scope rationale, what was in and out, remediation, retest status, and limitations. An overview of the company that did the assessment and their qualifications e.g. CREST accreditation, is also useful to demonstrate quality.
  • SBOM coverage statement plus a vulnerability triage log with one worked example. The SBOM is not the evidence; the worked example showing detection → assessment → decision → closure is.
  • Access control and audit logging narrative. Roles, privileged actions and how they are protected, what is logged, who can read the logs, retention, tamper protection.
  • Secure update and patch policy statement that is honest about what you can deliver.

That is the spine. If those eight artefacts are present, versioned, internally consistent, and cross-referenced, most of the questions a reviewer will ask have answers waiting for them.

Common failure patterns

These are the patterns we see most often when teams ask us to look at a file before submission, or after a finding has arrived. None of them are about bad security. They are about evidence formatting.

Controls are described as intentions, not testable behaviours

“We use encryption.” “Access is restricted.” “Logs are protected.” A reviewer cannot do anything with these sentences. They are statements of intent, not specifications of a control. A control should be written as something testable: what is encrypted, with what algorithm, with what key management, verified by which test, with the evidence stored where. Three short clauses turn an intention into a control.

Intention versus control: vague claims beside testable, evidenced controls

Three short clauses, what it is, how it works, and how it is verified, turn an intention into a control.

Penetration test scope does not match the device boundary

The most expensive mistake we routinely find. A test was commissioned in good faith, often by a capable testing firm, but the statement of work scoped it to the cloud APIs and ignored the mobile app, or scoped it to the mobile app and ignored the firmware update path, or scoped it to the development environment and not the production build. The report is real, but it does not test the boundary in the technical file. Pen tests should follow boundary alignment, not precede it; the scope must read like a paragraph from your technical file.

SBOM exists but does not connect to anything

When Log4j was disclosed in late 2021, manufacturers with an automated, release-tied SBOM answered the “are we affected?” question in minutes. Manufacturers with an SBOM exported to a PDF eighteen months earlier answered it in weeks. An SBOM by itself is not evidence; the evidence is the chain:

coverage statement → CVE monitoring workflow → triage log → at least one worked example from detection to closure.

Under both EU MDR and FDA 524B the SBOM obligation runs through the product lifecycle, not just to the point of submission.

Logging is implemented but not described

A surprising number of files implement excellent audit logging (privileged actions logged, retention defined, tampering protections in place) and then describe none of it. From a regulatory evidence perspective, an undescribed log is the same as no log. The fix is one page: what events are logged, why those events, who can read the logs, retention, and how the logs are protected from modification.

Access control is implied in the architecture but not evidenced

“Role-based access control is in place” is a sentence, not a control. The control is the role catalogue (clinician, patient, administrator, support engineer) with allowed actions per role; with privileged actions explicitly named (configuration change, user management, remote support, data export); with how those actions are protected (MFA, step-up auth, time-bound access, approvals); and with where this is verified. Five lines on a page, consistently formatted across every privileged pathway.

“Future-state” controls written as if they were current

The one that turns a manageable conformity assessment into a non-conformity. A control is described in the file in the form it will take after the next release, not as it currently behaves in the shipped product. The reviewer tests against the file. The behaviour does not match. As Episode 2 covered, missing your own stated controls is how most cybersecurity nonconformities happen. Write controls that describe the release being submitted, and use change control to update them when the product changes.

Practical steps: five patterns that pay back fast

The fastest way to improve reviewer readability is to take a small number of high-leverage controls and present them in a consistent evidence format. The patterns below are the ones that usually deliver the biggest reduction in questions. None of them require new security work. They re-shape work that is, most of the time, already done.

Pattern 1: threat to control to verification traceability

The single most useful document in a well-shaped technical file is a traceability table that connects each material threat to the control that addresses it and the verification evidence that proves the control works. Done well, it removes most of the follow-up questions reviewers ask, because most of those questions are reviewers reconstructing this table for themselves. Every row has the same shape:

  • Threat ID and one-sentence description (“T-014: tampering with patient identifiers in transit between mobile app and cloud API”).
  • Risk rating, using the same scale as the wider device risk file so it lines up with the clinical risk language.
  • Control ID and one-sentence description (“C-022: mutual TLS with certificate pinning and short-lived tokens between mobile app and API”).
  • Verification reference (“V-022.1: pen test 2026-03, finding 4 retested 2026-04, see Annex C”).
  • Residual risk note: what is left, why it is acceptable, and what monitoring catches drift.

Three rules make the table actually useful. IDs are stable across releases, so a reviewer comparing this submission to the previous one can see what changed. Verification references resolve, so clicking V-022.1 takes you to the actual test record. And “verified by inspection” is fine as an evidence type, but it has to point at a specific inspection record with a date, an inspector, and a result. Threat modelling itself should align with a recognised framework (STRIDE is the most common and pairs well with AAMI TIR57), but the framework matters less than the discipline of producing threats that are credible for your intended environment.

Threat Risk Control Verification Residual risk
T-014: Tamper with patient IDs in transit (app to cloud API) High C-022: Mutual TLS, cert pinning, short-lived tokens V-022.1: Pen test 2026-03, finding 4 retested 2026-04 (Annex C) Low; TLS-error alerting
T-031: Unauthorised config change by support engineer High C-040: Step-up MFA + time-bound, approved config access V-040.2: Access review 2026-02; config-change log (Annex D) Low; quarterly recert
T-008: Known CVE in third-party library reaches production Med C-015: Release-tied SBOM + CVE triage workflow V-015.3: Triage log CVE-2026-0412, closed 2026-04 Low; continuous CVE monitoring
T-022: Failed update leaves device in unsafe state High C-051: Signed updates, auto rollback to last-good image V-051.1: Release test on representative hardware, build 4.2.1 Low; rollback verified each release
T-045: Audit logs altered to hide misuse Med C-033: Append-only, access-controlled logs with integrity checks V-033.2: Config snapshot + tamper-alert test (Annex E) Low; integrity alerts monitored

Example threat-to-control-to-verification table. Stable IDs, one sentence per column, references that resolve.

Pattern 2: SBOM and vulnerability management as a workflow, not a document

The SBOM is not the evidence the reviewer wants to see. The workflow around the SBOM is. Three things, in this order: a coverage statement (what is in, what is excluded and why, how it is generated, build-time, release-tied, in SPDX or CycloneDX, and how often it is regenerated); a CVE monitoring workflow (which feeds, who triages, against what criteria, such as exploitability in your deployment context, safety impact, realistic exposure, and availability of mitigation short of a code change); and a triage log with at least one worked example from detection to closure.

The worked example carries more evidential weight than the policy. A reviewer who reads “CVE-2025-XXXX was assessed on date X; rated low-exploitability for our deployment because Y; mitigated by Z action; verified by retest on date W; closed by [name]” learns more about your vulnerability management than any number of policy paragraphs. A maintained SBOM connected to a CVE monitoring workflow is also the foundation of how you survive the next Log4j-class event, which Episode 5 will explore in the post-market context.

SBOM as a workflow: coverage, monitoring, triage, decision and closure with a worked CVE example

From SBOM coverage to a closed, dated worked example. The workflow, not the document, is the evidence.

Pattern 3: penetration test evidence formatting

A pen test report on its own is almost never a piece of evidence in the form a reviewer wants. The report is the raw material. The evidence is a one-page summary in front of the report that does four things:

  1. States the scope and the rationale for it. “The test covered the cloud APIs, mobile application and OAuth flow between them, against build 4.2.1. It did not cover the firmware update path, which is covered by a separate vendor-supplied attestation under reference V-031.”
  2. Summarises findings by severity, with one sentence per high or critical: what it was, what was done, when it was retested, with the retest evidence ID.
  3. States the limitations of the test honestly. Time-boxed engagements have limits; black-box has limits; grey-box has different limits. Saying so prevents the reviewer concluding the limits themselves and asking about them.
  4. Connects retest evidence to the original findings. The retest is what closes the finding, not the original report.

Two anti-patterns to avoid. Do not embed a 60-page report in the technical file body; reference it as an annex with a stable ID and put the summary at the front. And do not paste raw tool output (CVSS scores from a scanner, screenshots from a fuzzer) as evidence on its own; tool output is data, not interpretation. On cadence, there is no universal interval; “annual plus triggers” (major release, new integration, significant architectural change, new class of vulnerability) is the framing that holds up under most reviews. Document the cadence and stick to it.

Pattern 4: access control and audit logging that read well

Two of the most asked-about areas in any security review, and both easier to evidence than they look. Start with a role catalogue. Name every role the system supports and the allowed actions per role; be specific. “Administrator” is not a role; “tenant administrator who can create users and reset MFA but cannot read patient data” is a role. If a single human can become any role at any time, that is a privilege escalation path and it needs to be named.

Then list privileged actions explicitly (configuration change, user management, remote support session, data export, key rotation, code deployment to production), and for each, how the action is protected (MFA, step-up auth, approval workflows, time-bound access, break-glass procedures) and how it is logged.

The audit logging description is one page: what events are logged, why, where logs are stored, who can read them, retention, how they are protected against modification, and how tampering would be detected. The same page works in front of DTAC, EU MDR, FDA, and procurement diligence. Evidence the design with two artefacts: the one-page narrative, and a verification record (a configuration snapshot from the release under review, plus a sample of log output demonstrating the events described actually appear).

Field Worked example: privileged action “remote support session”
Claim Remote support sessions are restricted, authenticated, time-bound and fully logged.
Control design Engineers request access via an approval workflow; access is role-scoped (no patient-data read), protected by step-up MFA, time-boxed to 60 minutes, and auto-revoked. Each session opens an audit record.
Verification Configuration snapshot from build 4.2.1 showing session limits; sample session log demonstrating start, actions taken, and revocation.
Evidence IDs C-040 (control), V-040.2 (verification record), Annex D (log sample).
Limitations / assumptions Assumes the customer manages their own identity provider and endpoint security. Break-glass access is separately logged and reviewed within 24 hours.

Access control evidence template, filled in for one privileged action. Use the same shape for every privileged pathway.

Pattern 5: secure updates and patching, evidenced without overpromising

This is where files most often write a cheque the post-market team cannot cash. Episode 2 covered why ambitious patch policies turn into nonconformities; the controls side of the same problem is to write update and patch evidence that reflects what your operating model actually delivers. Four short artefacts cover most of what reviewers want to see:

  1. A one-page update mechanism summary: what is signed, how signatures are verified, how keys are managed, and how the device behaves during and after an update.
  2. A rollback or safe-state statement: if an update fails, what does the device do, and how is the user informed. Honest answers are far more credible than aspirational ones.
  3. Patch decision criteria: severity tier, exposure in deployment context, safety impact, mapped to an action path (hotfix, next release, monitor with mitigation, accept). The criteria link directly to the vulnerability triage log.
  4. Verification references: CI/CD checks demonstrating signing in the build, release test evidence demonstrating a sample update completing on representative hardware, and one worked example of an update verification record.

On timelines: EU MDR (via MDCG 2019-16) says “timely”. FDA Section 524B says “reasonably justified regular cycle” for known unacceptable vulnerabilities and “as soon as possible out of cycle” for critical vulnerabilities causing uncontrolled risk. DTAC frames expectations through Cyber Essentials and the DSIT Software Security Code of Practice. None of these prescribe a number. Whatever you state in your own QMS or technical documentation becomes the number you are audited against. Pick something you can sustain in clinical deployment.

Severity Exposure in deployment Safety impact Action path Evidence produced
Critical Exploitable in clinical deployment Could affect patient safety Out-of-cycle hotfix, as soon as possible Triage entry + emergency release record + retest
High Reachable, mitigations available Limited or indirect Expedited or next scheduled release, per triage Triage entry + release test evidence
Medium Not exposed in current configuration None identified Monitor with documented mitigation; fix in routine release Triage entry + mitigation note
Low No realistic exposure None Accept with rationale; review on change Triage entry + residual-risk rationale

Patch decision criteria mapped to action paths and the evidence each path produces.

The practical patterns in this article are the same ones we walked through in Webinar #1, our joint session with Mantra Systems on recovering from notified-body nonconformities and preventing them from recurring. The webinar covered the integrated clinical-and-cyber recovery blueprint, including a worked turnaround story, the seventy-two-hour triage steps, and the artefacts that turn a finding into a closed file.

Watch the recording on LinkedIn or YouTube.

Free downloads

System Boundaries: Who Controls What (PDF)
A one-page reference for one of the most common evidence problems in connected-device files: where your security responsibility ends and the customer's begins. Covers device and firmware, mobile applications, cloud and backend, integrations (EHR and APIs), and shared responsibilities, with the explicit assumptions that need to be written into your technical documentation. The example boundary diagram on the second page is the shape we recommend most teams adopt.
10 Core Procurement Artefacts (PDF)
The checklist we use to keep procurement and assurance work from becoming a last-minute scramble. It covers the ten artefacts most frequently requested across DTAC, EU MDR and private procurement, including security architecture and boundaries, threat model and risk register, the threat-to-control-to-verification traceability matrix discussed in this article, SBOM and vulnerability monitoring, a VDP/PSIRT route, patch policy, security test evidence, logging and monitoring approach, supplier security controls, and incident response, plus a suggested cadence for keeping them current.

Companion perspective and next step

Mantra Systems’ companion article walks the same idea across the wider risk control story (design controls, clinical risk controls, usability controls and post-market surveillance), and shows how reviewers expect those controls to tie together in the technical file. Read both to get the full picture of controls as evidence rather than controls as paperwork.

Read the companion perspective from Mantra Systems – Understanding Risk Management for SaMD

Next step: book a joint review

If you want an evidence-first view of where your security risk controls currently stand against EU MDR, FDA Section 524B and NHS DTAC, and a clear sense of what to fix first, book a joint review with Cyber Alchemy and Mantra Systems. In your free 30 minutes review, we will:

  1. Clarify your system boundary, intended environment, and the assumptions your technical documentation currently implies.
  2. Identify the top three cybersecurity assurance gaps in your current evidence, and how they connect to the wider clinical and regulatory story.
  3. Agree the minimum artefacts and verification evidence needed for the route you are targeting, so you do not overbuild for markets you may never enter.
  4. Turn the above into a short, prioritised action plan you can execute over the next two to four weeks.

Book your free joint review

FAQs

  1. It means presenting your security risk controls as a traceable chain a notified body can follow without prompting: from a credible threat (in line with MDCG 2019-16 and GSPR 17.2/17.4), to the control that addresses it, to the verification evidence that proves the control works, to the residual risk that remains. The controls themselves are not new; what makes them evidence is that the chain is explicit, stable, and tied to the release on the market.

  2. Substantially yes, in different vocabulary. FDA 524B asks for a Secure Product Development Framework, a release-tied SBOM with lifecycle vulnerability monitoring, and a defined approach to vulnerability disclosure and patching. EU MDR (through GSPR 17.2/17.4 and MDCG 2019-16) asks for a state-of-the-art lifecycle, threat-to-control traceability, and demonstrable verification. The spine is the same: if your evidence is shaped right for one, it is mostly shaped right for the other, with packaging differences.

  3. DTAC (technical security under the C3 domain, with the v2.0 form required from 6 April 2026) leans on Cyber Essentials and the DSIT Software Security Code of Practice. The artefacts that satisfy a notified body or the FDA (boundary, traceability table, SBOM and vulnerability triage log, pen-test summary, logging and access control narrative) also satisfy most of what an NHS assessor needs, with a DTAC-specific summary in front. Build the truth once; package it for the audience.

  4. STRIDE is a sensible starting point and one we always recommend due to its versatility and ease of use. PASTA, LINDDUN (for privacy-heavy systems), or attack trees can be appropriate depending on the device. The framework matters less than the discipline of producing threats that are credible for your intended environment, with a stable ID per threat, and a clear path into your control set.

  5. There is no universal interval. Annual is a reasonable floor; 'annual plus triggers' (major release, significant architectural change, new integration, new class of vulnerability) is the framing that holds up under most reviews. A defensible cadence you actually meet is worth more than an aspirational one you miss.

  6. No. The artefacts described here are the same ones you would build during a corrective action plan, and a pre-emptive evidence pass before review questions arrive is usually faster than reacting to them. Most teams find that one to two weeks of structured work shifts a file from answering questions to anticipating them, which is the difference between a long review and a short one.

About the author

Luke Hill, Senior Security Consultant at Cyber Alchemy

Luke brings deep expertise in security consultancy, penetration testing and regulatory‑aligned security measures in the Health and Social Care sector. He leads Cyber Alchemy’s technical and regulatory efforts in the MedTech space, supporting a broad range of MedTech companies in building resilient devices and applications that comply with complex UK, US, and EU regulations.

Articles in this series

Episode 1 from Mantra Systems
Where to Launch First? A MedTech Founder's Regulatory Roadmap to the EU, UK and US
Episode 1 from Cyber Alchemy
EU MDR & NHS DTAC Cybersecurity Requirements for UK Market Entry
Episode 2 from Mantra Systems
How to handle non-conformities and get back on track
Episode 2 from Cyber Alchemy
EU MDR, FDA 510(k) and DTAC Cybersecurity Nonconformities: How to Recover
Episode 3 from Mantra Systems
Understanding Risk Management for SaMD
Episode 3 from Cyber Alchemy
Security Risk Controls in the Medical Device Technical File

Related articles

  1. Stopping the collapse of dominoes by placing finger on a red risk dominoe.

    Understanding Risk Management for SaMD

    Practical guidance on SaMD risk management under EU MDR — from component-level hazard identification to Post-Market Surveillance and ISO 14971 traceability.

    Megan Allen Megan Allen Regulatory Medical Writer
  2. A concerned medical device software developer considering the complexities of regulatory compliance

    Avoiding slow SaMD approval: A guide to faster market entry

    Most SaMD developers make avoidable mistakes that add months to approval. Here's what they are and how to sidestep them.

    Paul Hercock Paul Hercock CEO & Founder
  3. US and EU flag signposts pointing in different directions

    Top 5 mistakes US manufacturers make when entering the EU market

    Expanding into the EU market? Discover the five most common regulatory mistakes U.S. medical device manufacturers make — and how to avoid them.

    Aastha Kothari Aastha Kothari Regulatory Medical Writer
  4. A process flow leading to a cybersecurity evidence pack

    EU MDR, FDA 510(k) and DTAC Cybersecurity Nonconformities: How to Recover

    This guest article shows how these cybersecurity nonconformities happen, what recovery actually involves, and what to build so you don't go back.

    Neil Richardson Neil Richardson Co-Founder of Cyber Alchemy
  5. Turning blocks from crosses to ticks

    How to handle non-conformities and get back on track

    A practical guide to understanding why non-conformities happen, the most common issues in medical device submissions, and how to resolve them efficiently to get you back on track.

    Dr Will Brambley Dr Will Brambley Lead Medical Writer
  6. US and EU flags on poles alongside each other.

    Clinical Evidence under EU MDR: Leveraging FDA Clinical Data to Streamline EU MDR Compliance

    FDA clearance alone is not sufficient for European market access - a theme we explore futher in this article and the accompanying webinar.

    Chandini Valiya Kizhakkeveetil Chandini Valiya Kizhakkeveetil Regulatory Medical Writer
  7. 3 people in an office in front of a whiteboard with the words 'Medical Device Market Entry Strategy' written above a world map.

    EU MDR & NHS DTAC Cybersecurity Requirements for UK Market Entry

    This guest article shows you how to build cybersecurity evidence for the EU MDR and NHS DTAC.

    Luke Hill Luke Hill Co-Founder of Cyber Alchemy
  8. An illustration showing a GPS-driven navigation route superimposed upon someone using a laptop.

    Where to Launch First? A MedTech Founder's Regulatory Roadmap to the EU, UK and US

    All three markets operate under different regulatory systems and place different demands on manufacturers.

    Ronghe Xu Ronghe Xu Regulatory Medical Writer & Strategic BD Lead China
  9. A woman uses an inhaler.

    Navigating EU MDR Article 117: A Practical Guide to Drug-Device Combination Product Submissions

    Implementation of the EU MDR 2017/745 has brought significant changes.

    Chandini Valiya Kizhakkeveetil Chandini Valiya Kizhakkeveetil Regulatory Medical Writer
  10. Collage art showing a pair of binoculars, an analogy for surveillance.

    How EU MDR Post Market Surveillance differs from FDA post-market expectations

    EU MDR and FDA post-market obligations aren't as similar as you might think. Here's what manufacturers need to know.

    Dr Gayle Buchel Dr Gayle Buchel Chief Medical Writer
  11. An arrow arcs from the US over to Europe.

    How EU device classification differs from the US - Are you prepared?

    Did you know an FDA Class II medical device could be immediately considered as a high-risk Class III device under European Union regulations?

    Gabriela Cardoso Gabriela Cardoso Regulatory Medical Writer
  12. A magnifying glass inspecting a number of wooden cubes with question marks upon them laid upon a blue table. The wooden cube under the magnifying glass has a lightbulb painted on it.

    Fixing the MDR and IVDR? The Commission’s Proposed Amendments and What They Mean for Manufacturers

    Exploring the key elements of this proposal.

    Chandini Valiya Kizhakkeveetil Chandini Valiya Kizhakkeveetil Regulatory Medical Writer
  13. Two arms point at a sign and hold a question mark, in an abstract pop-art style.

    Regulatory Reset? The EU’s Proposed Changes to MDR and IVDR Explained

    Changes published in December 2025 aim to streamline EU medical device and in vitro diagnostics. We explain who is impacted and how.

    Dr Gayle Buchel Dr Gayle Buchel Chief Medical Writer
  14. A pair of glasses rests on an eye test chart.

    Did You Know Your Glasses Were a Medical Device? A Regulatory Guide for Manufacturers

    The importance of correct classification and our recommended path to avoid common ophthalmic device 'gotchas'.

    Gabriela Cardoso Gabriela Cardoso Regulatory Medical Writer
  15. A precariously balanced pile of ping-pong balls and wooden bars.

    The Shift from MDD to MDR: Key Differences in Demonstrating Equivalence

    This transition has demanded that device safety must be demonstrated with more evidence. We offer tips for winning equivalence claims.

    Kamiya Crabtree Kamiya Crabtree Regulatory Medical Writer
  16. A pen and notepad, resting on a laptop.

    Periodic Safety Update Report: Requirements under EU MDR

    Post-Market Surveillance has become more stringent. We help you to understand what manufacturers need to consider.

    Chandini Valiya Kizhakkeveetil Chandini Valiya Kizhakkeveetil Regulatory Medical Writer
  17. An EU flag on a pole flies between two US flags against a blue sky.

    Webinar: From USA to Europe - Accelerating Your Path to the Medical Device Market

    We showed you how to quickly transform your U.S. regulatory work into a compliant EU MDR submission.

    Chandini Valiya Kizhakkeveetil Chandini Valiya Kizhakkeveetil Regulatory Medical Writer
  18. A poster frame for our Clinical Evaluation video series featuring Paul Hercock.

    Guide to Clinical Evaluation: Common Pitfalls & Useful Resources

    Part 5 - In the final video from this series, we explore five major pitfalls that often derail clinical evaluations.

    Paul Hercock Paul Hercock CEO & Founder
  19. A US-style 'changes ahead' warning road sign.

    Device Modifications: When a Simple Change Becomes a Regulatory Nightmare

    As regulatory consultants we understand how minor modifications to a device can often cause disproportionate disruption.

    Kamiya Crabtree Kamiya Crabtree Regulatory Medical Writer
  20. Webinar announcement poster.

    Webinar: Regulatory & Cybersecurity Essentials for medical device software and AI-enabled devices

    Our webinar with Cyber Alchemy addressed bringing AI-enabled medical devices to market with both the right regulatory and cybersecurity foundations.

    Shen May Khoo Shen May Khoo Regulatory Project Lead
  21. A simple jigsaw with iconography representing growth printed on it.

    Leveraging Post-Market Surveillance Data for Continuous Improvement

    PMS isn’t just about compliance, it’s an opportunity for improvement, enhance patient safety & innovate.

    Shen May Khoo Shen May Khoo Regulatory Project Lead
  22. A poster frame for our Clinical Evaluation video series featuring Dr. W. Brambley.

    Guide to Clinical Evaluation: CEP Strategy & CER Structure

    Part 4 - We explore how these guide reviewers through the evidence that supports safey, performance, and conformity.

    Dr Will Brambley Dr Will Brambley Lead Medical Writer
  23. A checklist being ticket-off in pen.

    The Critical Role of Pre-Submission Reviews in EU MDR Clinical Evaluations

    Ensuring your CER is robust and aligned with current standards is critical. How much Clinical Evidence is enough?

    Sandra Gopinath Sandra Gopinath Chief Regulatory Officer
  24. A poster frame for our Clinical Evaluation video series featuring Dr. W. Brambley.

    Guide to Clinical Evaluation: The State-of-the-Art (SOTA) Literature Review

    Part 3 - This is core of a sucessful submission. Will demystifies the process and explains how it supports clinical evaluation.

    Dr Will Brambley Dr Will Brambley Lead Medical Writer
  25. An orange tabletop with wooden question mark blocks laid upon it.

    Regulatory Update: EU Borderline & Classification Manual for medical devices v4

    New examples sharpen the distinction between medical devices and other product categories, such as pharmacologically active substances and aesthetic-only products.

    Chandini Valiya Kizhakkeveetil Chandini Valiya Kizhakkeveetil Regulatory Medical Writer
  26. A poster frame for our Clinical Evaluation video series featuring Dr. P. Boxall.

    Guide to Clinical Evaluation: Clinical Evaluation in Context

    Part 2 - A clinical evaluation demonstrates that a device is safe and effective, but achieving this requires more than simply compiling studies.

    Dr Peter Boxall Dr Peter Boxall Lead Medical Writer
  27. A poster frame for our Clinical Evaluation video series featuring Dr. P. Hercock.

    Introducing Our Guide to Clinical Evaluation Video Series: Building Strong Submissions Under MDR

    First of a five-part series of step-by-step guides.

    Paul Hercock Paul Hercock CEO & Founder
  28. A digitally generated image of a checklist being completed on a laptop computer.

    Maximise your success with our Clinical Evaluation pre-submission check

    We’re announcing the launch of a new service designed to help you with CER, CEP, and SOTA documentation – ensuring that documents meet Notified Body expectations and accelerating your route to market.

    Shona Richardson PhD Shona Richardson PhD Regulatory Project Lead
  29. Webinar announcement poster.

    Regulatory Strategy Essentials for Digital Health: Key Takeaways from Our Webinar

    We showed how to accelerate your runway to market through actionable steps that will shave months off your route to regulatory approval.

    Dr Peter Boxall Dr Peter Boxall Lead Medical Writer
  30. A laptop projects an alert to a user sitting at a desk.

    Vigilance & Incident Reporting: Everything You Need to Know

    Navigating the Complexities and Ensuring Patient Safety in Medical Devices.

    Gabriela Cardoso Gabriela Cardoso Regulatory Medical Writer
  31. An EU and US flag lying together.

    Achieving EU MDR approval when you are cleared under FDA

    Our guide to navigating the transition from FDA clearance to EU market access.

    Chandini Valiya Kizhakkeveetil Chandini Valiya Kizhakkeveetil Regulatory Medical Writer
  32. Some binocular-hand eyes as an analogy for surveillance.

    Post-Market Surveillance (PMS): Understanding PMCF & Vigilance under the EU MDR

    These serve distinct purposes and have different methodologies under the MDR framework. We breakdown each.

    Ronghe Xu Ronghe Xu Regulatory Medical Writer & Strategic BD Lead China
  33. A vision testing device.

    Implementing Master UDI-DIs: Key Insights from MDCG 2025-7

    Grouping devices with design similarities under a common Eudamed ID could unify them under a single master UDI-DI

    Dr Will Brambley Dr Will Brambley Lead Medical Writer
  34. A person studying at a desk with pad and paper.

    In the World of Regulatory Writing: 5 Lessons Learned

    Let’s break down some key lessons learned from the writing process and share practical tips to navigate them with clarity (and your sanity) intact.

    Kamiya Crabtree Kamiya Crabtree Regulatory Medical Writer
  35. Poster frame for video with Sue Kemp.

    Do you have the clinical evidence you need to support regulatory approval?

    Sue Kemp makes the case for implementing clinical strategy from day one.

    Paul Hercock Paul Hercock CEO & Founder
  36. An actual conventional UK passport.

    A New Era for NHS Innovation: ‘Innovator Passports’

    A digital fast-track system aims to transform how new medical technologies are adopted across the NHS, cutting red tape and accelerating access to medtech.

    Kamiya Crabtree Kamiya Crabtree Regulatory Medical Writer
  37. LinkedIn live webinar poster.

    From Idea to Approval: Get MDR Ready With Our LinkedIn Live

    An upcoming LinkedIn Live session with Dr. Zhong Wei Khor tailored specifically for healthtech founders.

    Paul Hercock Paul Hercock CEO & Founder
  38. A man crosses a high-wire across a forest.

    The Never-Ending Document Updates: Navigating Changing Regulations

    Just because you’ve submitted a document, it doesn’t mean the work is done. Clinical Evaluation Reports, Risk Management Files or PMS plans will all need updating.

    Kamiya Crabtree Kamiya Crabtree Regulatory Medical Writer
  39. A judges gavel sat infront of a Union Jack flag.

    UK Medical Device Regulations Set for Major 2026 Update

    The UK government is preparing to introduce a second major update to the regulatory framework for medical devices, with new pre-market requirements expected to come into effect in 2026.

    Dr Simon Cumiskey Dr Simon Cumiskey Senior Lead Medical Writer
  40. Video poster frame for Episode 3 of our series.

    Clinical Evaluation Masterclass: It is not clear that any systematic search methods were used for the literature review – Episode 3

    Addressing non-conformities isn’t just about avoiding negative outcomes; it’s about building a robust, evidence-based foundation.

    Paul Hercock Paul Hercock CEO & Founder
  41. A woman writes notes at her desk.

    Regulatory Writing Deadlines: The Pressure to Get It Right the First Time

    Anyone who’s worked in the medical device industry knows that regulatory deadlines aren’t just part of the process—they define it.

    Kamiya Crabtree Kamiya Crabtree Regulatory Medical Writer
  42. Medical phone software being used to communicate with a monitor placed on a mans skin.

    IEC 62366-1:2015 Demystified – Essential Usability Testing for Medical Devices

    What should be included in a Usability Engineering File? What steps do you need to take to ensure compliance and meet standards?

    Kamiya Crabtree Kamiya Crabtree Regulatory Medical Writer
  43. Video poster frame for Episode 2 of our ongoing series.

    Clinical Evaluation Masterclass: Appraisal of literature sources has not been conducted properly - Episode 2

    Our ongoing series covers one of the most frequent reasons for CER rejection: a poor appraisal of literature sources.

    Paul Hercock Paul Hercock CEO & Founder
  44. A lone figure navigates a rocky coastline.

    Navigating CAPA Terminology: Key Terms for Medical Device Professionals

    We define and explain the language required to work within a Quality Management System (QMS).

    Kamiya Crabtree Kamiya Crabtree Regulatory Medical Writer
  45. Video poster frame for Episode 1 of our new series.

    Clinical Evaluation Masterclass: Overcoming Non-conformities - Episode 1

    In this series, we work step-by-step through common Non-Conformities to ensure you are always ahead of possible challenges on the way to MDR approval.

    Paul Hercock Paul Hercock CEO & Founder
  46. A man carefully steps across a cliff-face. An analogy for assessing risk.

    Top 5 Common Pitfalls to Avoid During Risk Assessment

    Learn how to sidestep costly mistakes which manufacturers commonly make. From hazard ID to post-market surveillance, we help you improve safety and speed up approvals.

    Kamiya Crabtree Kamiya Crabtree Regulatory Medical Writer
  47. A label maker printing bar-code labels.

    Labelling 101: A Comprehensive Overview for Medical Device Manufacturers

    Labelling and packaging are critical elements to ensuring safety, compliance, and ease of use.

    Kamiya Crabtree Kamiya Crabtree Regulatory Medical Writer
  48. An illustration of a brain-shaped object on an abstract background.

    European Commission Guidelines on Prohibited Artificial Intelligence Practices

    Summary of the 8 AI practices prohibited by the EU 2024/1689 artificial intelligence (AI) Act.

    Dr Clare Dixon Dr Clare Dixon Regulatory Specialist
  49. A compass being used to navigate across mountainous countryside.

    Navigating Non-Conformities in Technical Documentation

    We explore how to manage non-conformities effectively and implement Corrective and Preventive Actions (CAPAs).

    Kamiya Crabtree Kamiya Crabtree Regulatory Medical Writer
  50. A photograph of a literal maze that we're using as a clever metaphor.

    Mastering the EU MDR: Essential Steps for Compliance-Ready Docs

    If you're uncertain about the readiness of your EU MDR documentation, this article provides an overview of the essential steps to ensure you’re on track.

    Kamiya Crabtree Kamiya Crabtree Regulatory Medical Writer
  51. An illustration showing scientists at work.

    A Guide to Electronic Instructions for Use (eIFU)

    Electronic Instructions for Use (eIFUs) are set to revolutionise how medical device instructions are delivered. We explore what this means for you.

    Dr Will Brambley Dr Will Brambley Lead Medical Writer
  52. Two helicopters look as if they are about to collide: An analogy for risk.

    Navigating Risk Management Requirements under the EU MDR

    This is a cornerstone of EU MDR 2017/745, requiring a continuous, well-documented approach. We unpack key requirements and provide actionable strategies.

    Dr Peter Boxall Dr Peter Boxall Lead Medical Writer
  53. A doctor operates a tablet computer.

    Beyond the Acronyms: Understanding SaMD and SiMD

    As software advancements continue, the line between traditional hardware-centric medical devices and software-driven solutions becomes increasingly blurred.

    Kamiya Crabtree Kamiya Crabtree Regulatory Medical Writer
  54. A team of profesional-looking people sit around a table, congratulating themselves.

    Extending the Validity of your IVDD Certificates – Key Dates

    The EU and the MHRA have extended the validity of IVDD certificates, allowing you more time to transition to the IVDR. We explain what this means for manufacturers.

    Kamiya Crabtree Kamiya Crabtree Regulatory Medical Writer
  55. A team of profesional-looking people sit around a table, congratulating themselves.

    GSPR 1: A New Era of Performance with Safety at the Core

    This regulation emphasizes risk management, durable design & biocompatibility to ensure medical devices are safe and effective. GSPR 1 protects users while driving innovation in medical technology.

    Kamiya Crabtree Kamiya Crabtree Regulatory Medical Writer
  56. Cybersecurity Vulnerabilities in Medical Devices: FDA Alerts on Contec and Epsimed Monitors

    Patients can be exposed to risks when devices are online. We explore implications for EU MDR/IVDR cybersecurity requirements, including MDCG guidance

    Dr Clare Dixon Dr Clare Dixon Regulatory Specialist
  57. A futuristic-looking factory full of labelled cardboard boxes.

    Decoding UDI: Your Ultimate Guide to Smarter Medical Device Labelling

    The Unique Device Identifier (UDI) ensures medical device traceability and compliance. We break down its structure, Device Identifier (UDI-DI), Production Identifier (UDI-PI) and its role in EUDAMED.

    Kamiya Crabtree Kamiya Crabtree Regulatory Medical Writer
  58. A hospital room full of equipment with futuristic user interfaces.

    IMDRF Sets the Standard: 10 Key Principles for AI-enabled Medical Devices

    Good Machine Learning Practice (GMLP) principles ensure safe devices, covering intended use, clinical evaluation & Human-AI Interaction (HAII).

    Ron Sangal Ron Sangal Lead Medical Writer
  59. A medical team discuss performance data at their desktop computer.

    Key Updates for Navigating EMDN: MDCG 2024-2 Rev.1 & 2021-12 Rev.1

    Release of the updated guidance helps manufacturers navigate the EMDN system for accurate device classification, ensuring market access.

    Ron Sangal Ron Sangal Lead Medical Writer
  60. A dated monitor for medical equipment.

    Understanding Clinical Evidence Requirements with MDCG 2020-6

    How can manufacturers ensure legacy devices meet MDR's stringent requirements? Discover how MDCG 2020-6 guidance simplifies the path to compliance.

    Dr Clare Dixon Dr Clare Dixon Regulatory Specialist
  61. A stethoscope laid on a desk of regulatory documentation.

    Clinical benefits of an in vitro diagnostic medical device

    How to determine the clinical benefit of an IVD and successfully incorporate it into regulatory documentation.

    Dr Gayle Buchel Dr Gayle Buchel Chief Medical Writer
  62. EU flags

    Regulation (EU) 2024/1860 - Its impact on EU MDR and IVDR

    How does the recent Regulation (EU) 2024/1860 amendment affect the EU MDR & IVDR?

    Shona Richardson PhD Shona Richardson PhD Regulatory Project Lead
  63. EU flag

    MDCG 2024-10 - Orphan medical devices

    How to apply MDR pre-market clinical evidence requirements to medical devices intended for limited usage.

    Dr Simon Cumiskey Dr Simon Cumiskey Senior Lead Medical Writer
  64. Considering a medical device's intended purpose

    A medical device's intended purpose - what is the point?

    How do you define intended purpose, indication for use, intended clinical benefits, and claims?

    Dr Simon Cumiskey Dr Simon Cumiskey Senior Lead Medical Writer
  65. Mantra Systems presents EnableChat, your AI-powered MDR & MDCG chatbot

    EnableChat - Your AI-powered MDR and MDCG chatbot

    Search the MDR and MDCG documents in seconds by asking EnableChat your questions.

    Dr Simon Cumiskey Dr Simon Cumiskey Senior Lead Medical Writer
  66. Searching adverse event databases for vigilance data

    Staying vigilant - A guide to searching for adverse events data

    We discuss the pros and cons of existing adverse event databases for vigilance data searching.

    Dr Simon Cumiskey Dr Simon Cumiskey Senior Lead Medical Writer
  67. A doctor reading an SSCP document with a patient

    What is Summary of Safety and Clinical Performance (SSCP)?

    We explain what the SSCP is, when you'll need it and what its objectives are.

    Sandra Gopinath Sandra Gopinath Chief Regulatory Officer
  68. A pile of question marks

    Medical Device 'Significant Changes' – Navigating EU MDR Article 120(3) using MDCG 2020-3 rev. 1

    Understand what changes to your medical device are considered 'significant' under EU MDR (2017/745).

    Shen May Khoo Shen May Khoo Regulatory Project Lead
  69. A signpost giving unsure directions

    MDR or IVDR - A sibling rivalry?

    A guide to easily understanding whether your device is a medical device or an in vitro diagnostic medical device (IVD).

    Dr Gayle Buchel Dr Gayle Buchel Chief Medical Writer
  70. An EU and UK flag

    What the latest Brexit U-turn means for CE Marking of medical devices in Great Britain

    Will Great Britain continue to allow the use of the CE mark for medical devices beyond the 2024 deadline?

    Dr Hanna Gul Dr Hanna Gul Lead Medical Writer
  71. A woman writing her own medical device regulation documentation

    Gain confidence, reassurance and control over your EU MDR strategy

    Find out how to build your own technical files within a guided framework while minimising financial outlays.

    Dr Gayle Buchel Dr Gayle Buchel Chief Medical Writer
  72. Racing to achieve MDR compliance

    Still racing to achieve MDR compliance? A transition period update

    On January 6th 2023, the EU commission has adopted the proposal to extend the transition rules of the EU MDR.

    Sandra Gopinath Sandra Gopinath Chief Regulatory Officer
  73. A 7-step guide to navigating regulatory requirements for medical device start-ups

    A medical device regulations guide for start-up companies

    We present a 7-step guide to navigating regulatory requirements on a budget.

    Paul Hercock Paul Hercock CEO & Founder
  74. An update on UKCA Marking of Medical Devices

    UKCA Marking of Medical Devices – An update on the status quo

    We review recently updated requirements for UKCA marking and what it means for your regulatory strategy.

    Dr Hanna Gul Dr Hanna Gul Lead Medical Writer
  75. How to choose a CER writer for your MDR Clinical Evaluation

    Choosing a CER writer for your MDR Clinical Evaluations

    We've compiled a list of considerations that will help you make the right choice when choosing a CER writer.

    Paul Hercock Paul Hercock CEO & Founder
  76. Achieving MDR Compliance for Class I medical devices

    How to achieve MDR Compliance for Class I medical devices

    We outline a strategy for the regulatory compliance of Class I medical devices.

    Sandra Gopinath Sandra Gopinath Chief Regulatory Officer
  77. Literature Search, SOTA Review and Clinical Evaluation

    Literature Search, SOTA Review process and Clinical Evaluation

    We help to demystify the process of systematic search & review of literature for Clinical Evaluation.

    Sandra Gopinath Sandra Gopinath Chief Regulatory Officer
  78. Literature Search Protocols & SOTA Reviews for medical devices and what to know before you start

    Literature searches and reviews for medical devices - what to know before you start

    We explain what you should know before beginning a literature search & review for your medical device.

    Sandra Gopinath Sandra Gopinath Chief Regulatory Officer
  79. Five useful resources when writing a medical device CER

    Five useful resources when writing a medical device CER

    We outline five of the most useful and trustworthy Clinical Evaluation Report writing resources.

    Victoria Cartwright Victoria Cartwright Relationship Manager
  80. Avoid pitfalls when writing a Clinical Evaluation Report

    Five common pitfalls when writing a Clinical Evaluation Report

    We illustrate five pitfalls when writing CERs and give you some tips to overcome them.

    Paul Hercock Paul Hercock CEO & Founder
  81. How to make a medical device equivalence claim under the MDR

    Five tips for making a medical device equivalence claim under the MDR

    We'll show you what to keep in mind with regards to equivalance and Clinical Evaluation.

    Sandra Gopinath Sandra Gopinath Chief Regulatory Officer
  82. Keeping medical devices in market and maintaining CE-marks - a guide to effective data collection

    Keeping medical devices in market and maintaining CE-marks

    The 4 golden rules to drive regulatory compliance with PMCF and vigilance data collection.

    Paul Hercock Paul Hercock CEO & Founder
  83. How PMCF goes beyond simple compliance - improving products and engaging customers

    How PMCF goes beyond simple compliance

    The wider benefits of a well-designed PMCF system include improving your products and your relationship with your clients.

    Paul Hercock Paul Hercock CEO & Founder
  84. PMCF systems for medical devices

    Why you'll almost certainly need a PMCF system for your medical devices

    We tell you what to be aware of under the EU MDR regarding PMCF and your medical devices.

    Paul Hercock Paul Hercock CEO & Founder
  85. Ensure medical device regulatory compliance of your devices through Brexit

    The impact of Brexit on medical device regulatory compliance

    How to ensure regulatory alignment of your devices in the territories affected by Brexit.

    Paul Hercock Paul Hercock CEO & Founder
  86. Use medical device regulatory consulting services to supercharge your MDR transition

    Is outside consulting support the answer to your MDR transition?

    Getting ready for the MDR is a demanding process. Outsourcing might be your solution.

    Paul Hercock Paul Hercock CEO & Founder
  87. Increasing data entry compliance in PMCF studies

    Increasing data entry compliance in PMCF studies

    5 methods every medical device manufacturer should know to improve their Post-Market Clinical Follow-up studies.

    Paul Hercock Paul Hercock CEO & Founder
  88. Why medical doctors can drive MDR compliance

    Why medical doctors can drive MDR compliance

    Working with the MDR requires knowing how to work with clinical evidence. Medical doctors are perfectly positioned to meet this requirement.

    Victoria Cartwright Victoria Cartwright Relationship Manager
  89. Software as a Medical Device

    Software as a Medical Device

    Unless you have spent time working with medical device legislation in the past, the idea that software could be a medical device may be rather unexpected.

    Paul Hercock Paul Hercock CEO & Founder
  90. clinical investigator for pmcf eu mdr compliance

    Ensuring that clinical investigations work in practice

    How can medical device manufacturers ensure valid clinical investigations when access to medical expertise remains limited?

    Paul Hercock Paul Hercock CEO & Founder
  91. Coronavirus and medical device regulations

    Relaxing medical device regulatory requirements during a healthcare crisis

    During the coronavirus pandemic, how far should we go when relaxing medical device regulatory requirements?

    Paul Hercock Paul Hercock CEO & Founder
  92. The new MDR compliance challenge

    The new MDR compliance challenge

    Across the industry, medical device companies are facing challenges in meeting the demands of the new Medical Device Regulations (MDR) 2017/745 framework.

    Paul Hercock Paul Hercock CEO & Founder
  93. Sources of Real World Evidence for MDR compliance

    Sources of Real World Evidence for MDR compliance

    At Mantra Systems our objective is to make sure that our clients choose the method of real world data harvesting that is right for them.

    Paul Hercock Paul Hercock CEO & Founder

More articles

Need help producing compliant CEPs & CERs? We are offering FREE CEPs to 5 qualifying applicants per week

Get your free CEP